CVE-2020-26870

Name of the Vulnerable Software and Affected Versions DOMPurify versions prior to 2.0.17

Description The issue is related to the DOMPurify library and its failure to protect the structure of a web page. This can be exploited by a remote attacker to perform a cross-site scripting attack. Specifically, the problem occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.

Recommendations For DOMPurify versions prior to 2.0.17, update to version 2.0.17 or later to resolve the issue. As a temporary workaround, consider restricting the use of the DOMPurify library until a patch is applied.